Security update for webkit2gtk3

Announcement ID:	SUSE-SU-2024:1269-1
Rating:	important
References:	bsc#1222010
Cross-References:	CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23252 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284
CVSS scores:	CVE-2023-42843 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2023-42950 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-42950 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-42956 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2023-42956 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-23252 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-23254 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-23263 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2024-23280 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-23284 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected Products:	SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves eight vulnerabilities can now be installed.

Description:

This update for webkit2gtk3 fixes the following issues:

• CVE-2024-23252: Fixed denial of service via crafted web content (bsc#1222010).
• CVE-2024-23254: Fixed possible audio data exilftration cross-origin via malicious website (bsc#1222010).
• CVE-2024-23263: Fixed lack of Content Security Policy enforcing via malicious crafted web content (bsc#1222010).
• CVE-2024-23280: Fixed possible user fingeprint via malicious crafted web content (bsc#1222010).
• CVE-2024-23284: Fixed lack of Content Security Policy enforcing via malicious crafted web content (bsc#1222010).
• CVE-2023-42950: Fixed arbitrary code execution via crafted web content (bsc#1222010).
• CVE-2023-42956: Fixed denial of service via crafted web content (bsc#1222010).
• CVE-2023-42843: Fixed address bar spoofing via malicious website (bsc#1222010).

Other fixes:

• Update to version 2.44.0 (bsc#1222010):
• Make the DOM accessibility tree reachable from UI process with
  GTK4.
• Removed the X11 and WPE renderers in favor of DMA-BUF.
• Improved vblank synchronization when rendering.
• Removed key event reinjection in GTK4 to make keyboard
  shortcuts work in web sites.
• Fix gamepads detection by correctly handling focused window in
  GTK4.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-1269=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-1269=1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-1269=1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-1269=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-1269=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-1269=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2024-1269=1

Package List:

• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1
• SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  • webkit2gtk-4_0-injected-bundles-2.44.0-150200.107.1
  • webkit2gtk3-devel-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-debuginfo-2.44.0-150200.107.1
  • typelib-1_0-JavaScriptCore-4_0-2.44.0-150200.107.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.44.0-150200.107.1
  • webkit2gtk3-debugsource-2.44.0-150200.107.1
  • typelib-1_0-WebKit2-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-2.44.0-150200.107.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.44.0-150200.107.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.44.0-150200.107.1
  • libwebkit2gtk-4_0-37-2.44.0-150200.107.1
• SUSE Enterprise Storage 7.1 (noarch)
  • libwebkit2gtk3-lang-2.44.0-150200.107.1

References:

• https://www.suse.com/security/cve/CVE-2023-42843.html
• https://www.suse.com/security/cve/CVE-2023-42950.html
• https://www.suse.com/security/cve/CVE-2023-42956.html
• https://www.suse.com/security/cve/CVE-2024-23252.html
• https://www.suse.com/security/cve/CVE-2024-23254.html
• https://www.suse.com/security/cve/CVE-2024-23263.html
• https://www.suse.com/security/cve/CVE-2024-23280.html
• https://www.suse.com/security/cve/CVE-2024-23284.html
• https://bugzilla.suse.com/show_bug.cgi?id=1222010